
List:       systalk
Subject:    Re: [Systalk]Cracked Computer Help
From:       Andy Brezinsky <andy () mbrez ! com>
Date:       2002-02-13 21:30:28

First of all, check what you are sharing!  You may have been sharing a 
directory accidentally that contained some files; there may not have been a 
breach at all, just some kiddie looking at what you have shared.  If 
something is shared then see what is in that directory and check time/date 
stamps on the files.


On Wednesday 13 February 2002 09:53 am, you wrote:
> Hi Fred,
>
> > Are you sure it wasn't just a random person portscanning the machine? Do
> > you have any other evidence to think that someone broke in?  If not I
> > would look into it further.
>
>   Any suggestions on how to find evidence? The only thing I know right now
> is that someone had connected via SMB as I said (when Windows was being
> shut down, it said "Are you sure you want to disconnect the following users:
> //harddisk/Lisa."). After looking in Windows System Information, and then
> playing around with SamSpade.org I confirmed that the IP address in
> question was owned by a Californian DSL company. Beyond that though, I
> don't know anything useful about this machine.
>
> > Also, in the future you should firewall your
> > windows boxes off completely from the internet if you want to keep them
> > safe.
>
>   I'd like to, hopefully I'll get this machine switched over to Linux soon,
> although the user is a bit hesitant... they like all those MS programs. :-\
>
> > Most anti-virus software should look for those things. You may want to
> > check for any open connections by using netstat, or nmap the machine and
> > look for open ports. However, if you're sure there's been a break-in, the
> > only course of action should be a full re-install of the machine.
>
>   Well, the netbios port is open, so I'm certain they could have cracked
> into the system if they had wanted to (since the firewall had inadvertently
> put this computer in DMZ after DHCP reassigned the machine a number). BTW,
> if you are wondering why it is running netbios, that's a remnant from when
> I was running Win2k, since WinME couldn't "see" Win2k without using
> netbios.
>
>   Thanks,
>        Tim
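
The time/date stamp check suggested at the top of this message, as an added example that is not part of the original thread: it walks a shared directory and lists every file whose modified or accessed time falls inside a window around the suspicious SMB connection. The function names, the sample files and the connection time are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta

def files_touched_in_window(share_root, start, end):
    """Return (relative_path, stamp_name, timestamp) for every file under
    share_root whose modified or accessed time falls in [start, end]."""
    hits = []
    for dirpath, _dirs, names in os.walk(share_root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            for stamp_name, epoch in (("modified", st.st_mtime),
                                      ("accessed", st.st_atime)):
                when = datetime.fromtimestamp(epoch)
                if start <= when <= end:
                    rel = os.path.relpath(full, share_root)
                    hits.append((rel, stamp_name, when))
    # Oldest first, so the output reads as a timeline of activity.
    return sorted(hits, key=lambda h: (h[2], h[0], h[1]))

def build_sample_share(root, incident):
    """Constructed sample data: one old file, one touched near the incident."""
    samples = {"old_letter.txt": incident - timedelta(days=30),
               os.path.join("docs", "budget.xls"): incident + timedelta(minutes=5)}
    for rel, when in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return samples

if __name__ == "__main__":
    incident = datetime(2002, 2, 13, 9, 0)  # assumed connection time
    window = timedelta(hours=1)
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share, incident)
        for rel, stamp, when in files_touched_in_window(
                share, incident - window, incident + window):
            print(f"{when:%Y-%m-%d %H:%M:%S}  {stamp:<8}  {rel}")
```

Run it against the real share path before opening any of the files, since reading a file can update its accessed stamp and blur the timeline.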

_______________________________________________
DHS Systalk Discussion List Systalk@dhs.org
To manage your subscription, please goto:
http://www.dhs.org/mailman/listinfo/systalk
To search the archive: http://www.dhs.org/search